WIRED's biggest stories, delivered to your inbox

Gonzalez Accomplice Gets Probation for Selling Browser Exploit

A computer security professional who sold Internet Explorer exploit code to credit card hacker Albert Gonzalez was sentenced Tuesday in Boston to three years probation and a $10,000 fine.

Jeremy Jethro, 29, was paid $60,000 by Gonzalez for a zero-day exploit against Microsoft’s browser, “the purpose and function of which was to … enable the conspirators to unlawfully gain access to, and redirect, individual’s computers,” according to court records.

Gonzalez led a team of hackers who gained unauthorized access to company networks and stole more than 90 million credit and debit card numbers, though it’s not clear what role, if any, the $60,000 zero-day played in the attacks. Jethro’s attorney, Stacey Richman, told Threat Level the exploit was a dud.

“The exploit never worked,” she said. “None of them worked. There was a question of potentially two [exploits] and neither of them worked.”

Jethro pleaded guilty to a misdemeanor conspiracy charge for providing the malware. Under Tuesday’s sentence, Jethro will be confined at home, under electronic monitoring, for the first six months of his three-year-long probation.

Richman said Jethro did not know Gonzalez’s intended use for the exploit. She also said the judge took into consideration her client’s life change in 2006 when he turned to Christianity and “renounced any aspect of any wrongful behavior.”

She said Jethro, who is currently working in the computer industry “had spent the years since then entirely in a very proper manner.”

He’s the third person to be sentenced for conspiring with Gonzalez in criminal activity. Last December, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing a sniffer to Gonzalez that helped him siphon card data from TJX’s corporate network. Watt was also ordered to pay restitution to TJX in the amount of $171.5 million.

Earlier this month, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75,000 for serving as a money courier for Gonzalez. He was charged with laundering between $600,000 and $800,000 for Gonzalez.

Gonzalez is scheduled to be sentenced this week in Boston for his role in the hacks of TJX, Dave & Busters, Hannaford Brothers, 7-Eleven and Heartland Payment Systems. He faces a sentence of between 17 and 25 years. Prosecutors are asking for the latter.

18:30: This article was updated to add comment from Richman, and to correct an error. Jethro’s charge did not link him to Gonzalez’s credit card thefts.